Closed detournemint closed 6 years ago
I would be willing to try to work on this.
That would be great! If you submit a PR we'll merge it right away
I think this isn't a filtering issue exactly.
http://redcloth.org/try-redcloth/ is just not filtering HTML; you don't need to do <scrIpt> with a capital I, a regular <script>alert(1)</script> will work just as well. When filtering HTML, the obfuscated script doesn't pass:
[19] pry(main)> RedCloth.new("<script>alert(1)</script>").to_html
=> "<script>alert(1)</script>"
[20] pry(main)> RedCloth.new("<script>alert(1)</script>", [:filter_html]).to_html
=> "&lt;script&gt;alert(1)&lt;/script&gt;"
[21] pry(main)> RedCloth.new("<scrIpt>alert(1)</scrIpt>", [:filter_html]).to_html
=> "&lt;scrIpt&gt;alert(1)&lt;/scrIpt&gt;"
I do think the issue is that RedCloth doesn't mention filtering in the readme.
@mveytsman oh that makes way more sense. Thanks for pointing that out!
On the following example: http://redcloth.org/try-redcloth/
pasting the code:
<scrIpt>alert()</scrIpt>
results in an alert box being shown to the user.
Possible Fix: Instead of using blacklisting to escape JavaScript/HTML, use a whitelist of allowed tags.
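The following is an added example, not RedCloth's own code and not posted by anyone in this thread. It puts the two approaches from the report side by side: a case-sensitive tag blacklist, which is exactly what a <scrIpt> payload walks past, and an allowlist filter that compares tag names case-insensitively and escapes every tag it does not recognise (so the payload is rendered as text, the way RedCloth's :filter_html output above is). The function names, the allowed-tag table and the sample inputs are assumptions made for the illustration; it needs only Ruby's standard library.

```ruby
# Added example (not RedCloth's code): case-sensitive blacklist vs. allowlist
# tag filtering. Names, table and inputs below are constructed for this demo.
require 'cgi'

# Blacklist: removes only exact lowercase <script> tags. <scrIpt> and <SCRIPT>
# are not matched and reach the browser, which treats tag names case-insensitively.
def blacklist_filter(html)
  html.gsub(%r{</?script[^>]*>}, '')
end

# Allowlist: tag name => attributes that may survive on it. Everything else,
# including every event handler attribute, is dropped or escaped.
ALLOWED_TAGS = {
  'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'p' => [],
  'a' => ['href']
}.freeze

# Only http(s) and site-relative URLs; rejects javascript:, data:, vbscript: ...
def safe_href?(value)
  value.strip.match?(%r{\A(https?://|/)}i)
end

# A well-formed tag (groups 1-3), or a stray < / > that is not one.
TAG_OR_BRACKET = %r{<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>|[<>]}

def allowlist_filter(html)
  html.gsub(TAG_OR_BRACKET) do
    closing, name, attrs = $1, $2, $3
    # Lone angle bracket: escape it so it can never start a tag.
    next CGI.escapeHTML($&) if name.nil?
    name = name.downcase                      # <scrIpt>, <SCRIPT> and <script> all compare equal
    allowed_attrs = ALLOWED_TAGS[name]
    # Unknown tag (script, img, iframe, svg, ...): emitted as literal text.
    next CGI.escapeHTML($&) if allowed_attrs.nil?
    kept = attrs.scan(/([A-Za-z-]+)\s*=\s*"([^"]*)"/).map do |key, value|
      key = key.downcase
      next unless allowed_attrs.include?(key)  # drops onclick=, onerror=, style=, ...
      next if key == 'href' && !safe_href?(value)
      %( #{key}="#{CGI.escapeHTML(value)}")
    end.compact
    "<#{closing}#{name}#{kept.join}>"
  end
end

if __FILE__ == $PROGRAM_NAME
  ['<script>alert(1)</script>', '<scrIpt>alert(1)</scrIpt>',
   '<B onclick="x()">bold</B>', '<a href="javascript:alert(1)">x</a>'].each do |sample|
    puts "input:     #{sample}"
    puts "blacklist: #{blacklist_filter(sample)}"
    puts "allowlist: #{allowlist_filter(sample)}"
  end
end
```

The allowlist only keeps double-quoted attribute values; unquoted or single-quoted ones are silently dropped, which is the safe direction to fail in. Bare & characters in text are left alone since they cannot open a tag; a production sanitizer should use a real HTML parser rather than regexes, but the contrast between "strip what you know is bad" and "keep only what you know is good" is the point of the report.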